I was recently re-reading ISO 31000 because that's what one does for fun (don't you?). Surprisingly I noticed on a few occasions that using heat maps (or qualitative RM) appears to not align with the guidelines.

Another strong signal that FAIR and cyber risk quantification are emerging as the way that inforisk gets reported up to the board and senior management: CyberVista, the leading cybersecurity education and workforce development company known for its board director education work, has aligned the curriculum of its popular Resolve cybersecurity training with FAIR.

Skeptics about the FAIR model love to scoff at quantitative risk analysis and dismiss it as mere “guesswork.” I have encountered this assertion several times while conducting analyses and I welcome the challenge each time; I view it as an invitation to a discussion.

Our professional team here at RiskLens has been steadily growing for the past two years. Our risk consultants come from a variety of backgrounds, with and without direct prior experience in risk management.

Prior to adopting FAIR to define and quantify risks as loss events, most organizations grapple with the all too common misconception that control deficiencies are the same thing as risks. This confusion not only alters the way organizations think about risk, but also the way they discuss and communicate risk.

With all the news about Russian hackers targeting US utility plant networks, we're bringing back into view this blog post about cyber risk quantification for utility operators, by Industrial Control System (ICS) authority Michael Radigan of Leidos Cyber, Inc.

Managing risk professionally means managing our own cognitive biases to effectively represent the risk facing our organizations. Overcoming the biases that each one of us brings to an analysis is a challenge and the only way to effectively manage this is by being actively aware of our own limitations in our perception of reality.